Capture a packet trace using Terminal on your Mac

If you know how to read a packet trace, you may find it useful when diagnosing issues with a network connection.

Get the BSD device name of the network interface

Log in to your Mac with an administrator account.

While holding down the Option key, choose Apple menu > System Information (or System Profiler).

Select Network from the list on the left side of the System Information window.

Select the network interface (such as Wi-Fi or Ethernet) from the list of active services on the right side of the window.

From the details section at the bottom of the window, find "BSD Device Name." In the example pictured, the BSD device name for Wi-Fi is en0.

Capture the packet trace

Open Terminal, which is in the Utilities folder of your Applications folder.

Type the following command, but replace BSDname with the BSD device name (such as en0, en1, or ppp0) from System Information:

sudo tcpdump -i BSDname -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap

Press Return, then enter your administrator password when prompted.

Terminal should say tcpdump: listening on... to indicate that it's listening for activity on that network interface.

While Terminal is open, perform the network function that you want to test.

When the network function is complete, return to Terminal and press Control-C to stop capturing. Terminal saves the packet trace to your desktop in a file named "DumpFile01.pcap."

To see the contents of the file, use this command in Terminal:

tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile01.pcap

To capture additional packet traces, modify the Terminal command to increment the number of the saved file (such as DumpFile02.pcap and DumpFile03.pcap).

Learn more

The Apple Developer website has more information about packet traces. When troubleshooting a network connection, you should know your computer's model, macOS version, IP address (and the destination IP address), and media access control (MAC) address. You should also understand your computer's role in the network activity, as well as the time of each network event associated with the issue.

When troubleshooting the connection between an AirPort Base Station and a broadband modem, restart the base station and capture its interactions with the Internet service provider while it starts up. You can restart the base station using AirPort Utility, or by briefly unplugging it from power. While testing, it's best if the base station, modem, and capturing computer are connected to an Ethernet hub, not a switch. You should also manually assign the capturing computer's IP address so that it doesn't take the DHCP lease that the base station needs (a 169.254.x.x address should suffice).

The packet trace may show that the TCP checksum of packets sent by the Mac is bad. This is because the trace is captured at the link layer of the network stack, just before the packets reach the physical network adapter, which is where the checksums are generated. This can be safely ignored.
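
The checksum behavior described above, as an added example (not Apple's code): a Python reader for a classic pcap file with Ethernet framing that verifies each TCP checksum and counts failures separately for frames sent by the Mac and frames it received. The function names and the two-frame sample capture are constructed for illustration.

```python
import struct

def ones_sum(data):
    """16-bit one's-complement sum over data (RFC 1071)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def bad_tcp_checksums(pcap, local_mac):
    """Count bad TCP checksums in an Ethernet pcap, split by direction."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
             b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    counts, pos = {"sent": 0, "received": 0}, 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        ip = frame[14:]
        # Only unfragmented IPv4 carrying TCP, captured in full, can be verified.
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue
        ihl = (ip[0] & 15) * 4
        total_len, frag = struct.unpack("!H2xH", ip[2:8])
        if frag & 0x3FFF or not ihl + 20 <= total_len <= len(ip):
            continue
        segment = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
        if ones_sum(pseudo + segment) != 0xFFFF:
            counts["sent" if frame[6:12] == local_mac else "received"] += 1
    return counts

def sample_capture(local_mac, peer_mac):
    """Constructed pcap: one sent frame with an unfinished checksum, one valid reply."""
    def frame(src, dst, src_ip, dst_ip, fill):
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
        csum = (0xFFFF - ones_sum(pseudo + tcp)) if fill else ones_sum(pseudo)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0) + src_ip + dst_ip
        eth = dst + src + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    a, b = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
    return header + frame(local_mac, peer_mac, a, b, False) + frame(peer_mac, local_mac, b, a, True)
```

On a real trace, read ~/Desktop/DumpFile01.pcap in binary mode and pass the Mac's own MAC address as six bytes.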